First the government is the largest employer in the United States. Also the government funds and employs the most cryptographers. STEM is also promoted by governments.
So when I say what I say you can track each of those data points to see the basis behind it. I’m not saying it because of a world view or beliefs, I’m interpreting the data. My speculation of course can be wrong but from the data I have it seems right.
As for rounding us up, that already has happened in the past. Most of the activists from the 1960s did end up in prison or with their lives destroyed. It was called COINTELPRO. In the rest of the world it was called OPERATION GLADIO.
You can look up both of those programs to see what governments have done in the past. If that could happen in the past why would it be different for Internet activists? Why would Internet activists have a different fate from the generations of activists who are political prisoners?
I would say that perhaps SAFE Network is a form of activism, and perhaps using SAFE Network politically is a form of protest, but in history, protests don’t always end well for the protesters. It is important to know the history of activism in my opinion and if SAFE Network is truly about activism that is fine but it also means a lifetime of being tracked if you choose that path.
World civilian research or just US civilians? The NSA isn’t the only intelligence agency that breaks codes. I highly doubt that people on the Internet are able to compete with governments based on the fact that cryptographers cost a lot of money and governments control the flow of money.
I don’t assume governments won’t remain in control of the flow of money. I highly doubt SAFE Network or the whole 4 billion dollar Bitcoin (12 billion if you want to be generous) economy is enough to compete with the NSA.
There just isn’t enough money yet for the top minds to move into cryptocurrency. This isn’t to say some of the top minds aren’t in it, or that most aren’t, but the top minds in crypto can make a lot more money in government at this time working for the NSA, GCHQ, etc.
When that changes then it changes but for now that is how it is. The agencies seem to have practically limitless resources while SAFE Network relies on volunteers a lot of the time.
You are making a huge fruit salad, mixing projects and agencies that are not related with historical facts that are anachronistic, and then making the very simplistic amalgamation of “government” conspiracies; you ignore that in governments the right hand doesn’t know what the left hand does, and that interdepartmental friction and lack of communication in bureaucratic structures are the norm. Also, putting education programs into the mix as suspicious is really not only funny but also so fantastically conspirative that it is beyond reason.
It is really all over the place, and off on a tangent.
By the way, as I said, the intelligence community as a whole doesn’t currently have a big advantage in cryptanalytic skills over what the civilian community of researchers has in hand.
You mention about being the biggest employers, wanna bet that the open source security community, specialists and college professors in the world are not head to head with them?
Really, the ANT projects in the NSA that were leaked by Snowden aren’t really that impressive. We had hobbyists making them since the 80s.
What shocks is the level and breadth of violations and the impunity they execute in the name of -bullshit- I mean, national security.
But besides that, what they do is not technically that advanced compared to what the “civilian” world has to offer.
And as I said before, the evidence in front of our eyes says that we have the upper hand with the open source cryptographic projects.
Cryptography is the Promethean fire, it really levels the field between the gods and the mere civilians.
In fact, if they weren’t desperate about it they wouldn’t be lobbying to backdoor cryptosystems.
We don’t even for sure know the budget but we can estimate. Based on the electric bill of the NSA and the stories like this one:
You and I have a difference of opinion. I do not underestimate government capabilities. If you think I’m overestimating government capabilities then your decisions can reflect your estimation of government capabilities.
Cryptography is a false sense of security. Brute force isn’t how most codes are broken. Enigma wasn’t broken by brute force either. Codes are broken due to human error, bugs in implementation, backdoors in hardware and software.
The Germans believed Enigma wasn’t broken even though it was. While crypto algorithms are theoretically secure, there is no way to implement them in a secure enough way that government agencies can’t break it. My point isn’t that somehow AES 256 can be broken by brute force, but that you can’t implement it right as a civilian to guarantee with 100% certainty that it’s not vulnerable.
The point is simple, you don’t have practical security. You have theoretical security. You have to separate the two concepts. AES 256 is theoretically secure, 100% secure if implemented perfectly. There is likely no perfect implementation of it, so you don’t have a way to know for example if the software you run on your computer is actually doing what you think it’s doing, or if the hardware isn’t leaking the private keys or contains backdoors.
In fact on the hardware side it’s theoretically impossible to distinguish between a chipset with no backdoor and a chipset with a backdoor. The hardware trojan can be invisible, which means you have no way to really say that any software running on civilian chipsets is trustworthy.
The best we can do really is develop trustworthy computing, which is built in trusted foundries, open hardware designs, peer audited, verified computation. This is the highest level of security you can have right now in civilian space, and you can do banks, the stock market, and virtually anything you want with it, but the security is due to the fact that if there is a backdoor in it then more than likely whatever you are doing isn’t going to be important enough for intelligence agencies to reveal their hand and reveal the potential backdoor but that doesn’t mean you should assume with 100% certainty that backdoors aren’t there.
This statement alone reveals how little you understand about the technical aspects of it, and also you fail to understand the historical relevance of this event.
Sorry to be blunt.
But now it is even more understandable why you are so conspirative about it.
You seem to underestimate the power of human ingenuity and the power of pooled resources in academia.
The only current advantage of the intelligence community (and with this I refer to them all, especially since all the techniques used by the NSA are shared with and used by all their allies. That’s how it works.) is the carte blanche to do unethical shit at scale.
And an event as meaningful as “the bombe” would be a cryptanalytic system based on quantum computing, but this is such an obvious move that even if achieved it will be rendered meaningless.
You are overestimating the institutional powers shrouded in some kind of almost supernatural magnificence.
Really, this perception is not really that far from what the Promethean tale is about: the difference between gods and humans was just a single technical advantage, the dominance over fire.
That was stolen and made public to the commoners, and the balance of power got shaken and threatened to be shifted.
This ancient tale is very applicable to this case.
There was a time when the NSA and the intelligence community (all the references you post are from that era) were really far ahead of any civilian research in cryptography; after all, it was a military technique.
Today the playing field has changed a lot. To become a cryptographer or a cryptanalyst you don’t have to join the military or become a contractor with an intelligence agency; you can become one as a civilian in some university or by yourself and have vast resources for research.
Yes, some projects will be funded by the government but that doesn’t mean anything really as long as they are fully open source and auditable.
You really seem to underestimate the power that this gives us against the government.
If you fail to understand that, well, there is no point in furthering this discussion.
Prove I don’t know what I’m talking about. If you’d like to discuss cryptography or information security have at it. Of course anyone can say or believe I don’t know what I’m talking about but you didn’t offer any evidence, cite any sources, or reveal gaps in my knowledge.
I stand by my statements. Enigma was theoretically unbreakable by brute force, and had to be broken by means of capitalizing upon human error. Humans using Enigma made errors which were predictable, and it is that same human error which underlies the vulnerabilities in every crypto-system.
I’ll say it again, if you really believe what you claim to believe then by all means make your decisions based on the knowledge you have. I’ll make my decisions based on the knowledge I have. We’ll find out who is right later on and maybe we can both have learned something.
Let me summarize below my conclusions and then you can share yours.
According to the knowledge I have and the risk assessments I’ve done, there likely isn’t any way to 100% trust hardware, software, or human beings. All risk can be measured in a risk assessment, and in no risk assessment can you make the claim that a cryptosystem is 100% secure in practice. We can make claims that algorithms are 100% theoretically secure, and there are many algorithms like that, but that really has little to do with whether you can implement it.
There is no 100% secure practical implementation of any cryptosystem.
You cannot put 100% trust in the security of hardware, software, or human beings within a crypto system.
A theoretically secure cryptosystem which cannot be practically secure is vulnerable to side channel attacks, human error, and much more.
SAFE Network security can be quantified by a risk assessment, and in any risk assessment you have to factor in hardware trojans against which we have no defense, possible zero day vulnerabilities in operating systems or random number generators, possible undetectable backdoors in code SAFE Network relies upon, and possible human error in the form of bugs which open SAFE Network up to vulnerabilities.
In any professional risk assessment by any cybersecurity professional you will find that SAFE Network isn’t 100% secure from intelligence agencies and if it were then intelligence agencies would want to use it themselves. It is said for example that PGP is very secure and the algorithm is, but if you generate your random numbers on Windows and that random number generator isn’t really producing random numbers then everything you encrypted will be broken.
So when assessing security what you’re doing is assessing the risks. What is the probability that different negative events can happen to you if you use SAFE Network?
Of course I can say SAFE Network is likely more secure than putting your data on Dropbox, or Google Drive, but I can’t say it’s going to be so secure that GCHQ can’t access it. Furthermore I would not want to give anyone a false sense of security by implying that all the intelligence agencies in the world will not be able to ever break SAFE Network or that they don’t have ways.
The only honest answer is we do not know. It’s better to admit when we do not know than to tell people that SAFE Network will protect them from every intelligence agency in the world, and let random Windows users think somehow it’s more secure than their operating system, or their Intel CPU.
I’ll be very specific because I think I know where we disagree. We disagree not on the fact that theoretical knowledge is equal. Any civilian such as you or I can have the same theoretical knowledge as the NSA or other intelligence agencies and perhaps we do.
That knowledge doesn’t help when it comes to implementing cryptosystems. Implementation does require the military, it literally requires a bunker, it might require quantum key distribution, it might require specifically designed hardware, with chips produced in a trusted foundry where every component and every person involved is carefully audited.
So even if any of us can design a nice algorithm, we will not have the hardware to implement it on, or the trusted personnel to create the hardware and software implementations, nor do we have quantum cryptography on the civilian level.
AES 256 isn’t enough if you’re just going to run it on an Intel which could have a backdoor put in it by the Chinese. So now you have to trust all these different parts of an untrusted supply chain and hope none of them put a backdoor? I agree with you that there is no knowledge gap when it comes to theoretical knowledge, but knowledge alone doesn’t create security when it’s all about practical implementation.
We simply do not have trusted components from which to build out any of the theoretically secure cryptosystems that we can think up. Thinking them up is easy but implementing is very expensive, very difficult, and requires trusted skilled personnel which you’re not going to find off the street. Most people off the street, or even college professors, aren’t going to know how to properly generate keys, how to handle keys, how to design their own circuits and produce hardware, and in the end 99.9% of people just rely on centralized corporations to do that for them.
So ordinary Internet users will simply install SAFE Network on their closed source Windows 10 computers, running on their Intel processors.
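The point made in this post about PGP on a broken Windows random number generator, and the earlier point that codes fall to implementation bugs rather than brute force, can be shown concretely. The following is an added example, not code from the thread or from SAFE Network: the same toy cipher is keyed once from a constructed weak PRNG (seeded from a hypothetical 16-bit value such as a process id) and once from the OS CSPRNG, and an auditor's check enumerates the weak key space against a known plaintext prefix. The cipher, the seed width and the sample message are all constructed for the demonstration.

```python
import hashlib
import os
import random

# Hypothetical weak key source: a non-cryptographic PRNG seeded from a
# 16-bit value. The cipher below never changes; only the key source does.
SEED_BITS = 16


def weak_key(seed: int) -> bytes:
    """128-bit key drawn from random.Random seeded with a small value (constructed weakness)."""
    return random.Random(seed).getrandbits(128).to_bytes(16, "big")


def strong_key() -> bytes:
    """128-bit key from the OS CSPRNG: the full 2**128 key space is reachable."""
    return os.urandom(16)


def keystream(key: bytes, length: int) -> bytes:
    """Toy stream: SHA-256 of key||counter, standing in for a real cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """XOR with the keystream; decryption is the same operation."""
    return bytes(a ^ b for a, b in zip(plaintext, keystream(key, len(plaintext))))


def recover_weak_key(ciphertext: bytes, known_prefix: bytes):
    """Auditor's check: enumerate every key the weak source could have produced
    and test each against a known plaintext prefix (e.g. a fixed message header).
    Returns (seed, key) if the key space was small enough to enumerate, else None."""
    target = ciphertext[: len(known_prefix)]
    for seed in range(1 << SEED_BITS):
        candidate = weak_key(seed)
        if encrypt(candidate, target) == known_prefix:
            return seed, candidate
    return None


def demo():
    """Same algorithm, two key sources: only the weak one is recoverable by enumeration."""
    # Constructed message with a predictable header, like a PGP armor line.
    message = b"-----BEGIN PGP MESSAGE-----\nhello from the demo"
    header = message[:16]

    weak = weak_key(4242)          # seed 4242 chosen arbitrarily for the demo
    weak_ct = encrypt(weak, message)
    weak_result = recover_weak_key(weak_ct, header)

    strong = strong_key()
    strong_ct = encrypt(strong, message)
    strong_result = recover_weak_key(strong_ct, header)

    return weak_result, strong_result


if __name__ == "__main__":
    weak_result, strong_result = demo()
    print("weak key source recovered:", weak_result is not None)     # True
    print("strong key source recovered:", strong_result is not None) # False
```

The algorithm is identical in both runs; what differs is how many keys the key source can actually produce. With 2**16 reachable keys the check finishes in well under a second, which is the practical point of this post: a sound cipher on a broken random number generator gives no security at all, and the only way to know is to audit the key source, not the algorithm.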
I am not saying that it is 100% safe, never claimed that so I won’t fall into that red herring.
What I am saying is that the opportunity of finding such failures is pretty much 50/50 between the intelligence community and the civilian researchers from the security community around the world.
The intelligence community will definitely have their zero days, but eventually it will be discovered by us.
The window of opportunity has been reduced drastically in modern times.
The power of civilian research is evidenced in the creation of AES itself, it was a contest and it is literally a civilian effort.
You’ve got to wonder, why didn’t the NSA put forward its own home-brewed encryption algorithm (or one from its allies) as the standard?
They HAD to rely on a contest from the academic world to find the most robust one for national security.
I don’t disagree with you on the power of civilian researchers. I’m a civilian myself. I disagree with you on civilians being able to implement it.
I don’t see civilians designing secure chips, training trusted personnel, and building bunkers. If civilians have to do all that then they basically have to become an intelligence agency like the NSA.
My point is there is a reason that the NSA is structured as it is, or GCHQ is structured as it is. Protecting secrets is extremely difficult and beyond the means of civilians. Theoretical knowledge is nice but that is just theoretical.
I would say for most users SAFE Network will offer sufficient security. I just personally wouldn’t use SAFE Network thinking that I could somehow be protected from the intelligence community.
The truth is you get a measure of security but it’s mostly political and also due to the fact that intelligence agencies have other more important concerns. I doubt they will even pay much notice to SAFE Network even if somehow there are all kinds of tracking and backdoors.
Silk Road which got a lot of attention in Bitcoin didn’t catch the attention until the price of Bitcoin went up and big money started flowing in. I suppose if billions of dollars in lost tax dollars became an issue then we would find out how secure SAFE Network is.